UPDATE: Expert: Slammer worm preventable

The Slammer worm attack that hit thousands of network servers over the weekend is yet another example of companies not keeping virus defences up to date, according to security experts.

Surfacing early Saturday morning, the Internet worm – tagged ‘Slammer’ or ‘Sapphire’ by antivirus companies – exploits a security flaw in Microsoft Corp.’s SQL Server 2000 database and MSDE 2000 (Microsoft SQL Server 2000 Data Engine) software. The worm causes a denial-of-service (DoS) attack, generating copious amounts of network traffic that clogged many Internet data pipelines.

Jack Sebbag, Canadian general manager and vice-president of Network Associates Inc. in Montreal, said Monday that this worm – which originated in the Asia Pacific – is unlike other viruses or worms in that it primarily affects company servers and not the average home PC.

Sebbag estimated that over 253,000 servers, including ISP servers, have been affected by the worm, and said tight IT budgets have a lot to do with organizations being caught off guard. “Companies are trying to do more with less,” Sebbag said, adding that past network attacks such as Code Red and Nimda should have warned enterprises about the need for strong antivirus protection.

Security expert Thomas Slodichak agreed. The chief security officer of WhiteHat Inc. in Burlington, Ont., noted that the attack should have been avoided because it exploited a known Microsoft vulnerability originally published in July of last year.

In defence of network administrators, Slodichak noted tight IT budgets mean that many enterprises are not devising long-term security policies.

“Network administrators, security personnel and business managers are really stretched to their limit. The largest enemy that a system admin has is time – (both) maintaining security for his outer perimeter on the Internet and the internal threats,” Slodichak said, adding that 70 per cent of security threats are the result of human error.

“Very few companies took advantage of the (patch) and applied it to their servers,” Sebbag explained, adding that this includes large Canadian organizations such as banks, government agencies and enterprises.

“We’re hoping that more and more companies start to invest and implement these technologies,” Sebbag said. “Unfortunately, it takes a really hard hit to make people change policy…a lot of very large companies have been hit and I can assure you that a lot of policies will change as a result of this.”

Along with keeping computers and servers up to date, network tools such as vulnerability assessment products and desktop firewalls are key.

While Slammer has largely been contained, it is still propagating itself. Both Slodichak and Sebbag noted it should take a few weeks before the total business costs caused by the worm are determined.

Slammer is a particularly devastating buffer overflow exploit and “unless the industry does come up with a solution to the patching problem, history will repeat itself,” Slodichak said.